Architectural Support for Software-Based Protection
Mihai Budiu Úlfar Erlingsson Martín Abadi
ASID Workshop, Oct 21, 2006
Silicon Valley
Summary
CFI: Enforce control flow to prevent software attacks [CCS 05] [ICFEM 05]
XFI: Protect modules within a single address space [OSDI 06]
This work: add hardware support
Outline
• Control-Flow Integrity
• XFI: Protecting Modules
• Conclusions
CFI Motivation
Figure: control flow is the anatomy of many software attacks
CFI Idea
Executable + Control-Flow Graph = Self-checking program
CFI Security Benefits
• Enforces CFG against attacker that controlswhole data memory
• Defends against a large class of attacks– Buffer overflows– Stack smashing– Jump-to-libc– Pointer subterfuge
• Validated experimentally
6
Code
Data
Stack
Embedding a CFG Edge
Traditional indirect jump:
    jmp r1
    ...
  dest:
    ...
New ISA: checked jump and label:
    jmpc r1, 50
    ...
    cfilabel 60
    ...
    cfilabel 50
    ...
Semantics
jmpc r1, L:      cfi_register = L; jmp r1
cfilabel L:      if (cfi_register == L) cfi_register = 0
before any instruction except cfilabel:
                 if (cfi_register != 0) cfi_exception()
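The checked-jump rule above is easy to get subtly wrong (for example, a label for a different edge must not clear the pending check). As an added example, not from the slides, here is a tiny interpreter that models the jmpc / cfilabel semantics exactly as stated. Only the instruction names and the cfi_register rule come from the slide; the tuple encoding, the sample program and the plain `jmp` used for contrast are constructed here.

```python
# Added example (not from the slides): a tiny interpreter that models the
# jmpc / cfilabel semantics on the "Semantics" slide. Only the instruction
# names and the cfi_register rule come from the slide; the instruction
# encoding, the sample program and the plain "jmp" (for contrast) are
# constructed here.

class CFIException(Exception):
    """Models cfi_exception(): a checked jump reached an unlabeled or
    wrongly labeled destination."""


def run(program, max_steps=100):
    """Execute `program`, a list of tuples indexed by pc, starting at pc 0.

    ("jmpc", target, L)  set cfi_register = L, then jump to target
    ("jmp", target)      traditional unchecked indirect jump
    ("cfilabel", L)      if cfi_register == L: cfi_register = 0
    ("nop",)             any ordinary instruction
    ("halt",)            stop and return the list of executed pcs
    """
    cfi_register = 0
    pc = 0
    trace = []
    for _ in range(max_steps):
        instr = program[pc]
        trace.append(pc)
        op = instr[0]
        # Slide rule: before any instruction except cfilabel,
        # if (cfi_register != 0) cfi_exception()
        if op != "cfilabel" and cfi_register != 0:
            raise CFIException(f"pc={pc}: expected cfilabel {cfi_register}")
        if op == "jmpc":
            cfi_register = instr[2]
            pc = instr[1]
        elif op == "jmp":
            pc = instr[1]
        elif op == "cfilabel":
            if cfi_register == instr[1]:
                cfi_register = 0
            pc += 1
        elif op == "halt":
            return trace
        else:
            pc += 1
    raise RuntimeError("step limit exceeded")


def build_program(target, checked=True):
    """Constructed program: one indirect jump whose register value is
    `target`. Only pc 4 carries the label (50) that the jump expects."""
    first = ("jmpc", target, 50) if checked else ("jmp", target)
    return [
        first,              # 0: indirect jump through "r1" = target
        ("halt",),          # 1: unlabeled code
        ("cfilabel", 60),   # 2: destination of some other CFG edge
        ("nop",),           # 3: unlabeled code after the wrong label
        ("cfilabel", 50),   # 4: the only legitimate destination
        ("nop",),           # 5
        ("halt",),          # 6
    ]


def jump_outcome(target, checked=True):
    """Return the executed pcs, or None if the hardware check trapped."""
    try:
        return run(build_program(target, checked))
    except CFIException:
        return None


if __name__ == "__main__":
    for t in (4, 2, 3, 1):
        print("jmpc ->", t, jump_outcome(t))          # only 4 succeeds
    print("jmp  ->", 3, jump_outcome(3, checked=False))  # unchecked: anything goes
```

Note how a jump that lands on `cfilabel 60` still traps: the label does not match, so cfi_register stays 50 and the next ordinary instruction raises the exception. The unchecked `jmp` variant reaches the same unlabeled code without complaint, which is the gap the new instructions close.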
Evaluation
Figure: Spec2k sources → Alpha CC → binary → Squeeze++ binary rewriter (instrumentation algorithm) → instrumented binary → Sim-alpha simulator running Linux → performance data
CFI Execution Overhead
Outline
• Control-Flow Integrity
• XFI: Protecting Modules
• Conclusions
XFI Motivation
Figure: OS kernel and drivers all in Ring 0 (high privilege), in a single address space, sharing the kernel heap and shared data structures
XFI Address Spaces
Figure: host system (code, data, host heap) beside an XFI module (code, R/O data, R/W data, stacks, entry points); the module's fastpath region spans [A, B), other accessible memory is the slowpath region
Memory Bounds Checks
Original store (fastpath region [A, B)):
    *(int*)x = 2;
Instrumented:
    if (x < A + 0) goto SlowpathCheck;
    if (B - sizeof(int) < x) goto SlowpathCheck;
  retfromSlowCheck:
    *(int*)x = 2;
ISA Support for XFI
mrguard $r, L, H
    if ($r < $a + L) XFI_exception()
    if ($b - H < $r) XFI_exception()
Figure: checks that [$r - L, $r + H) lies within [$a, $b), the region bounds A and B
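To make the two slides above concrete, here is an added example (not from the slides) that models the inlined compare pair from the "Memory Bounds Checks" slide and the mrguard instruction from the "ISA Support for XFI" slide. The region bounds A and B and the sample accesses are constructed; the slowpath table used when the fastpath compares fail is an assumption standing in for whatever the real runtime check consults.

```python
# Added example (not from the slides): the two bounds checks from the
# "Memory Bounds Checks" slide and the mrguard semantics from the
# "ISA Support for XFI" slide, modeled in Python. Region bounds A, B and
# the sample accesses are constructed; the slowpath table is an assumption
# standing in for whatever the real runtime check consults.

WORD = 4  # sizeof(int) in the slide's example


class XFIException(Exception):
    """Models XFI_exception() raised by mrguard."""


def mrguard(r, L, H, a, b):
    """mrguard $r, L, H: trap unless [r - L, r + H) lies within [a, b),
    where registers $a, $b hold the region bounds."""
    if r < a + L:
        raise XFIException(f"{r:#x} - {L} is below region start {a:#x}")
    if b - H < r:
        raise XFIException(f"{r:#x} + {H} exceeds region end {b:#x}")


def software_check(x, A, B, slowpath_ranges=()):
    """Software version: the compare pair inlined before *(int*)x = 2.
    Returns "fast" when [x, x + WORD) is inside the fastpath region [A, B),
    "slow" when the slowpath check (here: an assumed list of (lo, hi)
    ranges) admits the access, and "error" otherwise."""
    if x < A + 0 or B - WORD < x:          # goto SlowpathCheck
        for lo, hi in slowpath_ranges:
            if lo <= x and x <= hi - WORD:
                return "slow"               # retfromSlowCheck
        return "error"
    return "fast"


def guarded_store(mem, x, value, a, b):
    """Hardware version: one mrguard instruction guards a word store.
    A store of sizeof(int) bytes at x needs [x, x + WORD) inside [a, b),
    so L = 0 and H = WORD."""
    mrguard(x, 0, WORD, a, b)
    mem[x] = value
    return mem


def store_outcome(x, a, b):
    """True if the guarded store at x is allowed, False if mrguard traps."""
    try:
        guarded_store({}, x, 2, a, b)
        return True
    except XFIException:
        return False


if __name__ == "__main__":
    A, B = 0x1000, 0x2000                   # constructed fastpath region
    SLOW = [(0x8000, 0x8100)]               # assumed slowpath-permitted range
    for x in (0x1000, 0x1ffc, 0x1ffd, 0x8000, 0x80fd):
        print(f"{x:#x}: software={software_check(x, A, B, SLOW)}"
              f" mrguard={store_outcome(x, A, B)}")
```

The boundary cases are the ones worth checking: a store at B - sizeof(int) is the last one that fits, and one byte further fails both the software compare and mrguard, because the second compare is on the end of the accessed range, not on x alone.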
Evaluation
Figure: Mediabench sources → Alpha CC → assembly → hand instrumentation → object files → link → instrumented binary → Sim-alpha simulator running the Linux kernel → performance data
Bounds Checks Overhead
Advantages of ISA Support
Compared with software solutions:
• Reduce executable size
• Reduce pressure on fetch structures (I-cache, trace cache, br. predictors)
• Decrease register pressure (no intermediate results)
• Do not pollute condition flags
• Do not pollute the data cache to fetch code label [CFI only]
Conclusions
• ISA support is very simple
• ISA support does not stretch critical hw resources
• ISA support can reduce the cost of CFI and XFI enforcement
Backup Slides

MSR Silicon Valley
Our Neighbors: Google, NASA AMES, Microsoft SVC

We’re Going Into Architecture
We’re Hiring Computer Architects
• Exciting research opportunities
• A chance to influence industry
• A lot of creative freedom
• A great interdisciplinary team
• A brand new research group
• A great location
research.microsoft.com/aboutmsr/labs/siliconvalley
CFI & XFI Toolchain
Figure: Compiler → Executable (with debugging information) → Program binary → Rewriter (instrumentation algorithm) → Safe executable → Verifier → Execution; the rewriter's output is unsafe code until the verifier accepts it as safe code, and only the verifier is in the trusted computing base
CFI Software Implementation
Checked jump (jmpc r1, 50) in software:
    if (*r1 != 50) then goto error;
    goto r1+4;
Label (cfilabel 50) in software:
    .data 50
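The software-only form above reads the label out of code memory and then skips over it. As an added example (not from the slides), the following models that check over a constructed code image: memory is a dict from byte address to a 4-byte word, labels are ordinary data words, and the rewritten jump continues at r1+4 only when the word at r1 is the expected label.

```python
# Added example (not from the slides): the software-only CFI check from the
# "CFI Software Implementation" backup slide. Code memory is modeled as a
# dict from byte address to a 4-byte word, and the label is an ordinary data
# word (the slide's ".data 50") that the rewritten jump skips with goto r1+4.
# Addresses and contents are constructed here.

LABEL = 50
WORD = 4

# Constructed code image: two labeled entry points and one unlabeled one.
CODE = {
    0x100: ("data", 50),    # cfilabel 50 as emitted in software
    0x104: ("nop",),        # first real instruction of the labeled block
    0x108: ("data", 60),    # label of some other CFG edge
    0x10c: ("nop",),
    0x110: ("nop",),        # no label at all
}


def software_jmpc(code, r1, expected=LABEL):
    """Rewritten 'jmpc r1, expected':
        if (*r1 != expected) then goto error;
        goto r1+4;
    Returns the pc control continues at, or None for 'goto error'.
    The load of *r1 is the data-cache access the ISA version avoids."""
    word = code.get(r1)
    if word is None or word[0] != "data" or word[1] != expected:
        return None
    return r1 + WORD


def legal_targets(code, expected=LABEL):
    """All addresses this checked jump can reach, i.e. the CFG edge set the
    label encodes. Any other word equal to `expected` in the code image
    would pass the same compare, so labels must be bit patterns that occur
    nowhere else in the code (a CFI requirement the slide does not spell out)."""
    return sorted(a + WORD for a, w in code.items()
                  if w[0] == "data" and w[1] == expected)


if __name__ == "__main__":
    for r1 in (0x100, 0x108, 0x110, 0x200):
        print(f"jmpc r1={r1:#x} ->", software_jmpc(CODE, r1))
    print("legal targets:", [hex(a) for a in legal_targets(CODE)])
```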
CFI Binary Size Increase